Parameters of Privacy

In my last post, I argued that people should probably have more meta-discussions about privacy (rather than simply assuming everyone was on the same page about how seriously to take confidentiality).

What might that conversation entail?

First, it’s worth checking “Is this actually all that important? Do you want me to try very hard to keep this private?” Much of the time, many people don’t care that strongly. They just don’t want you to go around blabbing publicly, and would prefer if you err on the side of not spreading it if you can.

Simply confirming that the stakes are low may be all that’s needed, and it’s good to check that first to avoid spending unnecessary effort.

(As I said in the comments last time: the reason I think it’s useful to check if the stakes are actually low, is that a) people sometimes have different expectations, b) sometimes, the ambiguity about “how seriously am I supposed to take privacy here?” can become ammunition in a power game, and I’d prefer to remove that ambiguity.)

But if the stakes are moderate-to-high, you might talk through some parameters before revealing more information.

Note: I’m using “secret” and “private information” somewhat interchangeably here, because “secret” is a shorter noun that’s easier to work into sentences. I think there are actually some distinctions between them, but those distinctions aren’t the point of this essay.

Frames of Privacy: Ownership vs Caution


One model of privacy is ownership-based – I have some information, I’m considering sharing the information with you, but want to “retain ownership” over the information, such that you only use it in ways I endorse.

This could include “my social security number”, or “my private feelings about a matter.” It could also include other people’s private information that I’ve been “loaned” (Alice shared her social security number or private feelings with me, and they belong to Alice, but in this circumstance I’m confident Alice would be fine with me sharing them with you so long as you agree to the same privacy terms that I did).


But a different model here is about “proper caution.” Say I’m a physicist who discovers how to build nuclear reactors. As a scientist, I might generally desire to share information and educate people. I don’t care about “ownership” of the idea.

But nuclear reactors are dangerous, and I don’t want that knowledge to fall into the wrong hands. If I share it with other people, I might want to check: will they misuse the information? Will they share it with other people who might misuse the information?

Sometimes the danger comes from incomplete information – Carla overhears Alice and Bob conducting an improv scene, where Bob is insulting Alice. If Carla were to tell someone “Bob insulted Alice” but not “Bob and Alice were in an improv scene where the insults were completely consensual”, she’d be spreading misinformation that harms Bob.

If Carla is considering telling Dave about the information, what she might care about is whether Dave will make sure that if he tells anyone else, he conveys the full story, not just “Bob insulted Alice.”

In general this frame is less concerned with ownership than with good judgment, which might be domain specific. (You trust Joe not to reveal secrets about nuclear reactors, but might not trust his judgment in sharing personal information that people might misinterpret.)

Other Frames

There may be other frames for privacy. I think it’s good to at least be aware that you and your colleague might be operating in different frames, which come with different assumptions about what’s important.

With that in mind, what are some specific parameters you might fine-tune for a given exchange of private information?


i. Am I making a promise?

Privacy is an important tool for coordination.

Another useful tool for coordination is the specific tech of “making a promise” – committing to definitely make sure to get something done (or not done). If I do not successfully do the thing, you are right to judge me, and trust me less in the future. Breaking a promise has long-term consequences.

I think it’s quite important to be able to make promises, and to be able to rely on people who make them.

Consequently, I think it’s important that our social norms not require people to casually make promises that they can’t actually keep. Doing so erodes the tool of promise-making. And it fosters an environment where most people are guilty, but can be selectively punished.

So I think it’s useful to more explicitly distinguish “private information that you’re making a reasonably good faith effort to contain” and “private information you’re making a promise to contain.”

I generally don’t think it makes sense to make promises by default.

ii. Who am I keeping this secret from, and to what degree?

One might want any of the following:

  1. Never reveal *any* information that allows anyone to make updates about the secret, including microexpressions. (This is quite hard, and I don’t think should generally be expected.)

  2. Don’t reveal more than “I can’t talk about that because of confidentiality.”

  3. Don’t tell anyone directly about the secret.

  4. Don’t spread the secret more than N degrees.

  5. Make sure the information doesn’t spread to a particular person.

  6. Make sure the secret doesn’t reach people who might use it to hurt the ingroup.

  7. You can talk about the secret, but not reveal the particulars.

  8. Any of the above, but you can have a confidant.

I want to draw particular attention to that last point. One thing I’ve found fairly burdensome about privacy is not having someone who can help me think through the ramifications of a situation.

iii. What Skills Am I Expected to Have?

Depending on the previous question, you might need to have particular skills:

For not revealing information:

  • Remembering not to tell the secret in the first place.

  • Gracefully segueing a conversation so as not to reveal that you almost revealed something.

  • Thinking fast enough to respond to direct interrogation without revealing information. Or...

  • Removing yourself from the conversation (awkwardly if necessary).

  • Control over your microexpressions.

Attention to context:

  • Awareness of which people talk to each other (i.e. if I tell Carla, is she likely to tell Bob?).

  • Good judgment about the object-level content of the information. Under what sorts of circumstances might it be harmful for someone to know it, or spread it?

  • Good judgment about which other people are okay to tell (including whether they have any of these skills).

Psychological safety:

  • Some secrets are hard to bear alone, or even sometimes in a small group. Do I have the resilience to hold the secret without feeling isolated and stressed?

  • If a secret is a literal infohazard that might harm the listener, do I actually have the skills to think through that infohazard safely? (This includes lots of subskills which depend on the infohazard.)

Then, there’s self-awareness about how good you are at each of these skills.

iv. Duration

How long do you need to keep the secret? Literally until the day you die? Until some current controversy has blown over, or some product launched?

Most of why I’m averse to keeping secrets has to do with the cognitive overhead of tracking multiple secrets that accumulate over time. Time-limited secrets avoid secret-creep.

v. Escape Clauses

There are some circumstances where I might end up regretting having made an all-encompassing promise. If a secret is important to someone, I try to talk through

Two clusters of reasons are:

Costs/Benefits in local situations

Sometimes a secret isn’t that big a deal, and meanwhile, a situation comes up where it’s hard for me to have a conversation with Bob without inadvertently revealing some facts that relate to a secret Alice told me.

It’d be quite valuable to have the conversation openly with Bob, and meanwhile I’m pretty confident it wouldn’t harm Alice or anyone else to tell Bob.

Now, this is the sort of judgment call that results in mismatched expectations and feelings of betrayal, and I’m not advocating that people unilaterally decide to share information whenever it feels convenient. But, I do think people underestimate the costs here sometimes when agreeing to keep something private in the first place. If you were trying seriously to keep a secret, often that means keeping a lot of related details secret, and that ends up making it really hard to have what would otherwise be an innocuous conversation.

So, before agreeing to keep something private, I try to get a sense of how important it actually is to the person, and to talk through this consideration explicitly.

Patterns of Manipulation

I’ll have a whole other blogpost about this. But quickly noting for now: one major issue with privacy is that it can be used to protect bad actors.

I’ve met a couple people who exploited my willingness-to-keep-things-confidential, which made it harder for me to share notes about them with other people. They generally pushed for confidentiality in a way that dampened an entire community’s ability to notice that they were harming people.

I’m still figuring out exactly how to think about this. But, I now have a general escape clause in all privacy promises: If I come to believe that you are manipulating and harming people, I may reveal some things you told me in confidence (in as controlled and honorable a way as I can think of). If you choose to tell me the secret, you’re trusting that a) I have good judgment about that, and b) that the secret is not something I’m likely to perceive as part of a manipulative pattern.

Sensible Defaults

Negotiating all that individually each time is a pain, and you probably don’t want to do it each time. Also, most people don’t enjoy meta-discussion as much as I do, and you probably don’t want to dump 1-3 blogposts worth of material on most people the first time private information comes up.

Obviously people may vary in what defaults make sense. In a future post, I’ll lay out my entire privacy policy more explicitly, but for now it seemed good to list as an example my most common defaults.

My defaults:

  1. Try to notice when people are sharing information that is commonly-coded “private”, and get the person to stop until we’ve chatted at least briefly about all this.

  2. Don’t make promises by default.

  3. Do offer “low effort not-too-reliable pseudoprivacy” (clearly labeled as such).

  4. Do offer “reasonable good faith effort to keep things private” (without promising) fairly easily to people who need it.

  5. When higher degrees of privacy are required, almost always have a confidant who is able to offer an outside perspective on the situation.

  6. If I take on semi-private information, and need to share it with others, try to have the others take on a higher degree of privacy than I did, to limit its spread. (i.e. it’s often basically fine for some info to spread a little, Alice just didn’t want it spreading across the whole internet.)